As my time in academia shortens, day after day, I am trying to get a head start by getting certifications and really focusing my attention to security and the technologies around it. Besides this, I understand experience is important. I know how hard it is to break into security so I am going "active" in finding an internship.

I was searching on Dice, Monster, Careerbuilder, etc. and I see a lot of posts for security professionals. Now it ranges from Management, to analyst, to engineer. Any of these are ok with me, as long as I get my foot in the door. I want to know if you think it's ok that I contact the Hiring Manager about an internship. None of these job advertisements are directed towards an internship, but a lot of them read, "As a Sr. Security Engineer/Analyst/etc., You will join our security team and help secure...". "Security Team". Is it ok that I contact the Hiring Manager and say, "Hey, I read your ad and I am inquiring about a position as an intern or volunteer to your security team." list my credentials, etc.

Is this proper? Will Hiring Managers react negatively? "Oh I don't have time for this kid, what does he think he's doing, I need a Sr. Analyst now!" Mind you that somewhere in my inquiry I would be saying I'll intern for free or similar non-hassle job title.

Then my next question is, how do I go about doing it? Phone? E-Mail? Is it ok to call and ask if they are willing to take on an intern and then send my resume/cover/etc?

If any of you have hired security professionals/interns before or any of you have just gone through what I have to get into the field they love, share with me some of your insight.

I won't (can't) comment as to whether or not it is proper to contact a hiring manager directly to ask about an internship. I've contacted a hiring manager directly on several occasions about a position they were actually advertising and I know that it landed me at least one job (mom taught me that persistence in this area pays).

Some other people can chime in on this as well, but most of the people I know in security got into it through system administration/engineering or development. I got my systems engineering job through systems administration (which I got through helpdesk work). Then I later moved to development (through the systems engineering job). From there the job in security engineering and penetration testing presented itself. From personal experience I can say that most of my cohorts are in security because they took other jobs related to security.

I know my years in system administration has helped me be able to look at a system and perform live forensics. Likewise, it helps me understand the types of mistakes system admins make (when/why best practices are not observed). The development time helps me audit source code for exploits (or audit exploit source code for backdoors). It also helps me reverse engineer malware.

If someone hires you directly for a security position, good for you. If you can't find a job doing security, take what you can find and move from there. Looking back, I think I always knew I wanted to do security. For instance, on the helpdesk, I gravitated to the incident response type tickets generated by EPO. I took a lot of the security configuration and auditing duties on my system administration team. My point is that it is probably easier to find a non-security specific entry level job out of academia. If you must go that route, don't let it get you down, there's plenty to do to build your security career.

I believe that it's very difficult to be a good security person without working outside of the industry for a significant amount of time. Most great security folks I know have done exactly what former33t said, they have started in help desk, moved to sys admin, done some development, etc. Only then did they move to security.

You can look for a company that is security conscious to get started. As you establish yourself, you can take on more security-related responsibilities and go from there. That's what I did. And I would do the same if I had a chance to start over.

As far as contacting hiring mangers, what do you have to lose? All they can say is no.

I take to heart what all of you have said. I do understand other fields out there before getting to security and I am still in pursuit of that too. I was just asking if it's unethical to contact a hiring manager about a position that's not been advertised. In my standpoint (I don't know too much on how the hiring process works) if someone came up to me and asked to volunteer and work for free just to get his feet wet, I would be impressed.

As Ketchup stated, what do you have to lose? Just go for the companies which sounds interesting to you, even if they don't have a specific job opening up. I've seen quite a fee people doing so who got their job this way.

Last edited by UNIX on Tue Apr 13, 2010 12:40 am, edited 1 time in total.

just go for it! it only shows motivation and dedication to the work field! no is what you have, yes is what you can get. also check with teachers from your college. Most of them have connections which could come in handy with finding an internship. good luck! also post this in the looking for work part of this forum, you never know!

CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT

earning my stripes appears to be a road i must travel alone...with a little help of EH.net